Use FactoryTalk Security with the Logix Designer application
About the Security Feature
The Security feature lets you control individual users’ access to Logix
Designer application projects and controllers. Using FactoryTalk Security software,
you control access to your projects and controllers based on the following:
- The individual user logged into a workstation
- The project the user is attempting to access
- The workstation from which the user is attempting to access the project
For details, see the FactoryTalk Security System Configuration Guide:
Start > Programs > Rockwell Software > FactoryTalk Tools > FactoryTalk
Security System Configuration Guide.
NOTE: The security feature is primarily intended to prevent accidental unauthorized access
to your projects and controllers. It is important to note that while the feature
does provide some protection against intentional unauthorized access, it is not
intended to provide protection against sophisticated system hackers. You should
exercise your own additional precautions against such unwanted access.
FactoryTalk Security grants or denies access based on the following pieces of
information.
- User ID (that is, the user’s login name)
- Workstation ID
- Action name (that is, the activity the user is trying to perform, such as tag modification, or processor mode change)
- Resource name (that is, controller name)
In addition, you can group resources, actions, persons, and workstations via access
control lists, which define certain characteristics to determine access levels.
Launching the Logix Designer application from a remote computer
Allowing users to launch the application from a remote computer may require changing
the default security settings in the FactoryTalk Network Directory.
When logging on remotely and trying to launch the application, the user is prompted
to Log On to FactoryTalk. After providing the proper credentials, the user is still
unable to log on. This happens because the policy "Require computer accounts for all
client machines" is enabled by default and the remote computer is not in the
FactoryTalk Directory computer list.
To resolve the remote access issue:
- Add the remote computer to the FactoryTalk Network Directory or
- Change the security policy setting "Identify terminal server clients using the name of" to "Server Computer".
For details, see "Set up security policies" and "Add a computer account" in the
FactoryTalk Administration Console help.
NOTE: In the case where a FactoryTalk administrator is logged on
to the FactoryTalk Network Directory and Single Sign-on is enabled, the client
launches the Logix Designer application using the active administrator account. For
details, see "Single Sign-on" in the FactoryTalk Administration Console help.
The Logix Designer application and FactoryTalk security
When used with the Logix Designer application, FactoryTalk Security supports Product
Policies and Securable Actions. These FactoryTalk Security settings are configured
in the FactoryTalk Administration Console.
Product Policies are not tied to a specific project, and may include the
following.
- Securing the controller
- Creating a new project (either through the New Controller dialog box, or through the Translator Tool utility)
- Updating your firmware
Securable Actions let you perform specific tasks on a specific project or group of
projects, and may include the following.
- Viewing a project
- Going online
- Creating tags
- Creating modules
In a safety controller project, you can specify additional protection to safety
components. For example, to create a safety program, you need to have access granted
for both of these securable actions:
- Safety: Modify Component
- Program: Create
In the Logix Designer application:
- Security settings are obtained from the FactoryTalk Network Directory.
- RSSecurity Emulator is not used by the Logix Designer application, but may be required by other software.
- FactoryTalk Local directory is not supported.
- FactoryTalk Services Platform version 2.50 (SR5) or later supports associating the project with a specific FactoryTalk Directory.
Product policies and securable actions
The Product Policies and Securable Actions listed here are configured in the Network
Directory using the FactoryTalk Administration Console. For details, see the
FactoryTalk Security System Configuration Guide.
Product policies
Grant access to these actions | To allow a user to |
---|---|
Controller: Secure | Secure a project or controller. |
Firmware: Update | Update controller firmware. NOTE: If the project is secured, the Securable Action (Firmware:Update) is also required to perform firmware updates. Firmware updates can be initiated within the Logix Designer application WhoActive dialog box if a project is open but not when the controller is online. |
Print: Modify Options | Modify print options. |
Project: New | Create a new project, import a project or translate PLC5/SLC. |
Toolbar: Configure | Move, resize, hide or show toolbars. |
Workstation: Modify Options | Modify workstation options. |
Securable actions
Grant access to these actions | To allow a user to |
---|---|
Add-On Instruction: Create | Create a new Add-On Instruction. |
Add-On Instruction: Delete | Delete an Add-On Instruction. |
Add-On Instruction: Modify | Edit Add-On Instruction properties, tags, logic or whether a user can configure source protection. |
Alarm: Clear Alarm Log | Clear the contents of the alarm log from the controller. |
Controller: Clear Faults | Edit the fault log, including clearing faults. |
Controller: Lock/Unlock | Lock or unlock the controller for online edits. |
Controller: Modify Mode | Change controller modes. |
Controller: Modify Properties | Edit controller properties. |
Controller: Modify Revision | Convert the .acd file to a higher revision. |
Controller: Modify Type | Change controller types. Note: If a user is granted Controller: Modify Revision privilege, but is denied Controller: Modify Type, then he will typically be unable to change the type of controller. However, during database conversion, it may be necessary to change the controller type because the old controller type is obsolete in the target revision. In this case, these users are allowed to change the controller type during conversion. |
Controller: Unsecure | Unsecure a secured controller. |
Firmware: Update | Use the Logix Designer application to update controller firmware. Note: The Product Policy (Firmware:Update) is also required to perform firmware updates. Firmware updates can be initiated within the Logix Designer application WhoActive dialog box if a project is open, but not when the controller is online. |
Language: Modify Properties | Associate project documentation with a language, set default language, add or delete a language. |
Language: Switch Language | Select a different language for product documentation. |
Module: Create | Create modules in the Controller Organizer. |
Module: Create and Safety: Modify Component | Create safety I/O configuration. |
Module: Delete | Delete modules in the Controller Organizer. |
Module: Delete and Safety: Modify Component | Delete safety I/O configuration. |
Module: Maintenance High | Perform high impact operations such as module reset and calibration. |
Module: Maintenance Low | Perform low impact operations such as resetting electronic fuses. |
Module: Modify Properties | Edit module properties. |
Module: Modify Properties and Safety: Modify Component | Modify safety I/O configuration. |
Motion: Command Axis | Perform axis direct commands. |
Motion: Modify Configuration | Modify axis, coordinate system, or motion group properties. |
Nonvolatile Memory: Load | Load from non-volatile memory. |
Nonvolatile Memory: Store | Store to non-volatile memory. |
Phase: Create | Create equipment phases. |
Phase: Delete | Delete equipment phases. |
Phase: Manual Control | Manually control equipment phases. |
Phase: Modify Properties | Edit equipment phases. |
PLC/SLC: Modify Tag Mappings | Map PLC or SLC messages. |
Print: Report | Print reports. |
Program: Create | Create programs. |
Program: Create and Safety: Modify Component | Create a safety program. |
Program: Delete | Delete programs. |
Program: Delete and Safety: Modify Component | Delete a safety program. |
Program: Modify Properties | Edit program properties. |
Program: Modify Properties and Safety: Modify Component (see Note 2) | Modify properties of a safety program. |
Program: Modify Properties and Safety: Modify Component | Change class property of a standard program to safety. |
Project: Compact | Compact a project file. |
Project: Download | Download a project to a controller. |
Project: Export | Save a project in .L5K or .L5X format. |
Project: Go Online | Go online with a project. |
Project: Modify Path | Set, clear, or modify the controller path associated with a given project. |
Project: Open | Open a (read-only) version of the project. Note: If users do not have the ability to open and view the project, they do not have the ability to do anything else with it. |
Project: Save | Save a project. |
Project: Save As | Save a project to a new .acd file. |
Project: Upload | Upload a project from a controller. |
Routine: Create | Create a routine. |
Routine: Create and Safety: Modify Component | Create a safety routine. |
Routine: Delete | Delete a routine. |
Routine: Delete and Safety: Modify Component | Delete a safety routine. |
Routine: Manual Control | Manually control routine logic. |
Routine: Modify Logic | Edit routine logic. |
Routine: Modify Logic and Safety: Modify Component | Edit safety routine logic. |
Routine: Modify Properties | Edit routine properties, configure routine source protection. |
Routine: Modify Properties and Safety: Modify Component | Edit safety routine properties. |
Safety: Generate/Delete Signature | Generate or delete a Safety Signature. |
Safety: Lock/Unlock | Lock or unlock edits on safety application. |
Safety: Lock/Unlock | Modify safety lock or unlock passwords. |
Safety: Modify Component | Create, delete, or modify safety components. Note: The standard component privileges are required in addition to this privilege. For example, to create safety tags, Tag: Create is required in addition to Safety: Modify Components. |
Safety: Modify Properties | Modify the controller's safety configuration. |
Safety: Modify Tag Mappings | Create safety tag mapping. |
Safety: Modify Tag Mappings | Delete safety tag mapping. |
Safety: Modify Tag Mappings | Modify safety tags mapped to standard tags. |
Tag: Create | Create tags. |
Tag: Create and Safety: Modify Component | Create a safety tag. |
Tag: Delete | Delete tags. |
Tag: Delete and Safety: Modify Component | Delete a safety tag. |
Tag: Delete, Safety: Modify Tag Mappings, and Safety: Modify | Delete standard tag that is mapped to a safety tag. |
Tag: Force | Force tags and enable or disable existing forces. |
Tag: Force and Safety: Modify Component | Force safety tags. |
Tag: Modify Constant Property | Change Constant property of a tag. |
Tag: Modify Constant Tag Values | Change values of a Constant Tag. |
Tag: Modify Properties | Edit tag properties. |
Tag: Modify Properties and Safety: Modify Component | Edit safety tag properties. |
Tag: Modify Properties and Safety: Modify Component | Change class property of a standard tag to safety. |
Tag: Modify Properties and Safety: Modify Tag Mappings | Modify safety or standard tag properties of a tag contained in a safety mapping. |
Tag: Modify Values | Change tag values. |
Tag: Modify Values and Safety: Modify Component | Change safety tag values. |
Task: Create | Create tasks. |
Task: Delete | Delete tasks. |
Task: Modify Properties | Edit task properties, including program scheduling. |
Task: Modify Properties and Safety: Modify Component (see Note 1) | Modify safety task properties. |
Trend: Create | Create trends. |
Trend: Delete | Delete trends. |
Trend: Modify Properties | Modify trend properties. |
Trend: Run | Run trends. |
User Defined Type: Create | Create user-defined data types or string types. |
User Defined Type: Delete | Delete user-defined data types or string types. |
User Defined Type: Modify | Edit user-defined data types or string types. |
Note 1: The safety task max scan time and max/min interval scan timers can be reset, regardless of the protection.
Note 2: A safety program’s max scan time can be reset, regardless of the protection.
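Added example (not Rockwell code, and it calls no FactoryTalk API): a small model for reviewing an access matrix against the combinations in the tables above, where a safety task needs its standard action plus Safety: Modify Component, every project task needs Project: Open, and a firmware update needs the product policy and, on a secured project, the securable action as well. The task labels, user names and grants are constructed for illustration.

```python
# Added illustration, not Rockwell code: models the privilege combinations in
# the tables above. No FactoryTalk API is called; the grants are constructed.

# Task label (hypothetical) -> securable actions that must ALL be granted.
REQUIRED = {
    "create safety program": {"Program: Create", "Safety: Modify Component"},
    "edit safety routine logic": {"Routine: Modify Logic", "Safety: Modify Component"},
    "force safety tags": {"Tag: Force", "Safety: Modify Component"},
    "change safety tag values": {"Tag: Modify Values", "Safety: Modify Component"},
    "download project": {"Project: Download"},
}

def can_perform(task, securable, policies=frozenset(), project_secured=True):
    """Return (allowed, missing_grants) for one user on one project."""
    missing = set()
    if task == "update firmware":
        # The product policy is needed; a secured project also needs the
        # securable action of the same name.
        if "Firmware: Update" not in policies:
            missing.add("Firmware: Update (product policy)")
        if project_secured and "Firmware: Update" not in securable:
            missing.add("Firmware: Update")
    else:
        # Without Project: Open nothing else can be done with the project.
        missing = ({"Project: Open"} | REQUIRED[task]) - set(securable)
    return (not missing, sorted(missing))

def audit(grants, tasks):
    """Map each task to the sorted list of users who effectively hold it."""
    return {t: sorted(u for u, g in grants.items()
                      if can_perform(t, g["securable"], g["policies"])[0])
            for t in tasks}

GRANTS = {  # constructed sample users
    "operator1": {"securable": {"Project: Open", "Tag: Modify Values"},
                  "policies": set()},
    "engineer1": {"securable": {"Project: Open", "Program: Create", "Tag: Force",
                                "Safety: Modify Component", "Firmware: Update"},
                  "policies": {"Firmware: Update"}},
    "contractor1": {"securable": {"Program: Create", "Safety: Modify Component"},
                    "policies": {"Firmware: Update"}},
}

if __name__ == "__main__":
    for task, users in audit(GRANTS, list(REQUIRED) + ["update firmware"]).items():
        print(f"{task}: {users or 'nobody'}")
```

The missing-grant list shows why a user who appears to hold a safety privilege is still blocked, or which single additional grant would give a user safety-affecting access.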